AWS bedrock-agentcore high security documentation change
Summary
Added 'callback_url' parameter to OAuth2 decorator configuration and improved code formatting
Security assessment
The addition of 'callback_url' parameter helps implement proper session binding in OAuth2 flows, which is critical for preventing authorization code interception attacks. This addresses potential security vulnerabilities in the authorization flow implementation.
Diff
diff --git a/bedrock-agentcore/latest/devguide/identity-authentication.md b/bedrock-agentcore/latest/devguide/identity-authentication.md index ffe186bb6..e3c1aae49 100644 --- a//bedrock-agentcore/latest/devguide/identity-authentication.md +++ b//bedrock-agentcore/latest/devguide/identity-authentication.md @@ -13,11 +13,15 @@ AgentCore Identity enables developers to obtain OAuth tokens for either user-del - @requires_access_token(# Uses the same credential provider name created above - provider_name= "google-provider", - # Requires Google OAuth2 scope to access Google Drive - scopes= ["https://www.googleapis.com/auth/drive.metadata.readonly"], - # Sets to OAuth 2.0 Authorization Code flow - auth_flow= "USER_FEDERATION", - # Prints authorization URL to console - on_auth_url= lambda x: print("\nPlease copy and paste this URL in your browser:\n" + x), - # If false, caches obtained access token - force_authentication= False,)async def write_to_google_drive(*, access_token: str): - # Use the token to call Google Drive + @requires_access_token( + # Uses the same credential provider name created above + provider_name= "google-provider", + # Requires Google OAuth2 scope to access Google Drive + scopes= ["https://www.googleapis.com/auth/drive.metadata.readonly"], + # Sets to OAuth 2.0 Authorization Code flow + auth_flow= "USER_FEDERATION", + # Prints authorization URL to console + on_auth_url= lambda x: print("\nPlease copy and paste this URL in your browser:\n" + x), + # If false, caches obtained access token + force_authentication= False, + callback_url='insert_oauth2_callback_url_for_session_binding', + ) + async def write_to_google_drive(*, access_token: str): + # Use the token to call Google Drive @@ -31,3 +35,7 @@ The process is similar to obtain a token for machine-to-machine calls, as shown - @requires_access_token(provider_name= "my-api-key-provider", # replace with your own credential provider name - scopes= [], - auth_flow= 'M2M',)async def need_token_2LO_async(*, access_token: str): + + @requires_access_token( + provider_name= "my-api-key-provider", # replace with your own credential provider name + scopes= [], + auth_flow= 'M2M', + ) + async def need_token_2LO_async(*, access_token: str): @@ -111,0 +120 @@ For three-legged OAuth (3LO) flows, your agent needs to provide the authorizatio + callback_url='insert_oauth2_callback_url_for_session_binding' @@ -135,0 +145 @@ For three-legged OAuth (3LO) flows, your agent needs to provide the authorizatio + callback_url='insert_oauth2_callback_url_for_session_binding' @@ -167,0 +178 @@ For three-legged OAuth (3LO) flows, your agent needs to provide the authorizatio + callback_url='insert_oauth2_callback_url_for_session_binding'